Checking Audit Logs for Tampering - 18 Dec 2006
Four specific situations indicate that your audit logs might have been altered.
December 17, 2006
Is there anything built into Windows that can verify that the Security event log hasn’t been tampered with (i.e., modified, added to, or deleted from)?
First, it’s important to understand that tampering with the Windows event logs isn’t easy. One can’t open the Windows Security log and directly edit it because the event logging service always has the file opened exclusively. Furthermore, there’s no API in Windows for changing or deleting events in the Security log—only for reporting new events. Basically, one must have either administrator authority or physical access to tamper with the Security log.
That said, you can’t be absolutely sure that the log hasn’t been tampered with—the best you can do is keep a sharp eye out for evidence that the log might have been altered. Look for the following events or occurrences:
Event ID 517, which indicates that the audit log was cleared and reports who cleared it.
Event ID 512, which logs a system restart. The system (including the Security log) is vulnerable to tampering during a system restart.
The Event Log Service inexplicably crashes or you find a file called dummy.dat in C:\windows\system32\config. These occurrences can indicate that someone with administrative authority executed WinZapper, a hacker tool that can be used to delete event log records.
An administrator account is compromised, meaning someone could try to use the compromised account to alter the Security log.
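As an added example, not part of the original column, the following PowerShell function checks a local Windows system for the indicators listed above. It assumes Windows PowerShell with Get-EventLog reading the classic logs; the Service Control Manager event ID 7034 used for the service-crash check is an assumption not taken from the article.

```powershell
# Added example (not from the article): scan a local Windows system for the
# tampering indicators described above. Uses Get-EventLog (classic logs).
# 517 and 512 are the pre-Vista IDs; on Vista and later they are 1102 and 4608.
function Test-SecurityLogTampering {
    param([int]$Days = 7)
    $since    = (Get-Date).AddDays(-$Days)
    $findings = @()

    $security = Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue

    # 1. Event ID 517: the audit log was cleared; the event names who cleared it.
    foreach ($e in ($security | Where-Object { $_.EventID -eq 517 })) {
        $findings += "{0}  Security log cleared by {1}" -f $e.TimeGenerated, $e.UserName
    }

    # 2. Event ID 512: system restart. The Security log is exposed while the
    #    Event Log service is down, so every restart is a window for tampering.
    foreach ($e in ($security | Where-Object { $_.EventID -eq 512 })) {
        $findings += "{0}  System restart (log unprotected during shutdown)" -f $e.TimeGenerated
    }

    # 3. Event Log service crash. Assumption: the Service Control Manager writes
    #    event 7034 ("service terminated unexpectedly") to the System log.
    $system = Get-EventLog -LogName System -After $since -Source 'Service Control Manager' -ErrorAction SilentlyContinue
    foreach ($e in ($system | Where-Object { $_.EventID -eq 7034 -and $_.Message -match 'Event Log' })) {
        $findings += "{0}  Event Log service terminated unexpectedly" -f $e.TimeGenerated
    }
    $svc = Get-Service -Name Eventlog -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $findings += "{0}  Event Log service is currently {1}" -f (Get-Date), $svc.Status
    }

    # 4. dummy.dat left in %SystemRoot%\system32\config: residue of WinZapper.
    $dummy = Join-Path $env:SystemRoot 'system32\config\dummy.dat'
    if (Test-Path $dummy) {
        $item = Get-Item $dummy
        $findings += "{0}  {1} present ({2} bytes)" -f $item.LastWriteTime, $dummy, $item.Length
    }

    # A compromised administrator account cannot be detected from the log alone;
    # correlate these findings with account and logon activity.
    if ($findings.Count -eq 0) { return "No tampering indicators found in the last $Days days." }
    return $findings
}

Test-SecurityLogTampering -Days 30
```

Run it from an elevated prompt, since reading the Security log requires administrative rights.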
The best way to ensure the integrity of the Security log is to send security events as they occur to another system that’s secured with separate administrator credentials. Many Security log consolidation products include the functionality to ensure the confidentiality and integrity of the Security log as it traverses the network. Windows versions before Windows Vista lack this functionality, but there are many event log management solutions that ensure confidentiality and integrity with or without agents. For information about free log management tools, see “Security Log Collection,” November 2006, InstantDoc ID 93330.